
IETF Last Call Review of draft-ietf-oauth-selective-disclosure-jwt-17
review-ietf-oauth-selective-disclosure-jwt-17-genart-lc-fossati-2025-04-11-00

Request Review of draft-ietf-oauth-selective-disclosure-jwt
Requested revision No specific revision (document currently at 22)
Type IETF Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2025-04-14
Requested 2025-03-31
Authors Daniel Fett, Kristina Yasuda, Brian Campbell
I-D last updated 2025-11-19 (Latest revision 2025-05-29)
Completed reviews Genart IETF Last Call review of -17 by Thomas Fossati (diff)
Opsdir IETF Last Call review of -19 by Tirumaleswar Reddy.K (diff)
Secdir IETF Last Call review of -17 by Shawn M Emery (diff)
Artart IETF Last Call review of -18 by Henry S. Thompson (diff)
Artart Telechat review of -19 by Henry S. Thompson (diff)
Assignment Reviewer Thomas Fossati
State Completed
Request IETF Last Call review on draft-ietf-oauth-selective-disclosure-jwt by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/jYEu8IAa9nealH9sLHsUQWaElw8
Reviewed revision 17 (document currently at 22)
Result Ready
Completed 2025-04-11
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-oauth-selective-disclosure-jwt-17
Reviewer: Thomas Fossati
Review Date: 2025-04-11
IETF LC End Date: 2025-04-14
IESG Telechat date: Not scheduled for a telechat

Summary:

The document describes SD-JWT, a mechanism for blinding and selectively
disclosing JWT claims. SD-JWTs are traded by three parties: issuer, holder and
verifier. The issuer of an SD-JWT creates the blinded JWT along with the
individual “disclosures” (i.e., the clear-text claims plus the random salt used
in the blinding process) for the holder. Subsequently, the holder presents the
blinded JWT and the required disclosures to the verifier, who can access the
selectively disclosed claims and is provided with cryptographic proof of their
integrity and authenticity. This model has practical and valuable applications.
The design is solid, and the document is crafted with care, clarity, detail,
and plenty of examples. All IANA requests (JWT claims, media types and SSS)
look good to this reviewer. Same for the references. From a Gen-ART
perspective, the document is ready.

Major issues: none

Minor issues: none

Nits/editorial comments: none
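
The issuer/holder/verifier flow summarized in the review, as an added sketch that is not part of the review or the draft's own code. It assumes SHA-256 digests and flat top-level claims, and leaves out the issuer signature over the payload and key binding; all function names are illustrative.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def digest_of(disclosure: str) -> str:
    # The digest is taken over the base64url text of the disclosure itself.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def make_disclosure(name, value):
    # Disclosure = base64url(JSON [salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def issue(claims, disclosable):
    """Issuer: blind the chosen claims; return (payload, disclosures by name)."""
    payload = {k: v for k, v in claims.items() if k not in disclosable}
    disclosures = {n: make_disclosure(n, claims[n]) for n in disclosable}
    # Sorting the digests hides the original claim order.
    payload["_sd"] = sorted(digest_of(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures

def verify(payload, presented):
    """Verifier: accept only disclosures whose digest the issuer embedded.
    Assumes the signature over `payload` was already checked (omitted here)."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    remaining = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disclosure in presented:
        h = digest_of(disclosure)
        if h not in remaining:  # forged, altered, or repeated disclosure
            raise ValueError("disclosure does not match any digest in _sd")
        remaining.discard(h)
        raw = base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4))
        _salt, name, value = json.loads(raw)
        if name in claims:
            raise ValueError("claim name already present in payload")
        claims[name] = value
    return claims

# Constructed sample data: the holder reveals given_name, withholds birthdate.
SAMPLE = {"iss": "https://issuer.example", "given_name": "Alice",
          "birthdate": "1990-01-01"}
PAYLOAD, DISCLOSURES = issue(SAMPLE, ["given_name", "birthdate"])
```
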